I. Name and address of the Data Controller
The Data Controller, as defined in the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection provisions, is:
PKF Deutschland GmbH Wirtschaftsprüfungsgesellschaft
EUREF-Campus 10/11
10829 Berlin
Telephone: +49 30 306907-0
Fax: +49 30 306907-99
E-mail: info@nothing-important.pkf.de
Internet: www.pkf.de
Registered seat: Berlin
Commercial Register: Local Court (Amtsgericht) of Berlin (Charlottenburg), HRB 223843
Executive directors: WP StB Oliver Beier, WP StB Dr. Marc Danne, WP StB Christian Müller-Kemler, WP StB RA Ralph van Kerkom, WP StB Martin Wulf
II. General Information on Data Processing
1. Scope of the processing of personal data
We generally process the personal data of our users only to the extent necessary for the provision of a functional website and our content and services. The processing of the personal data of our users is routinely carried out only after users have given consent. This particularly applies to the use of so-called tracking technology (see item IV. - Use of cookies). An exception applies in those cases where obtaining prior consent is not possible for practical reasons and where the processing of the data is permitted by law.
2. Legal basis for processing personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) a) EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 (1) c) GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) d) GDPR serves as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) f) GDPR serves as the legal basis for the processing.
3. Data erasure and retention period
The personal data of the data subject get erased or blocked as soon as the purpose for retaining the data ceases to apply. Furthermore, data may be retained if this has been provided for by European or national legislators in EU regulations, laws or other provisions to which the Data Controller is subject. The data will also be blocked or erased if a retention period prescribed by the aforementioned standards expires, unless there is a need for further retention of the data for the conclusion or performance of a contract.
III. Provision of the website and creation of log files
1. Description and scope of data processing
Every time you call up our website our system automatically records data and information from the computer system of the accessing computer.
In the course of this, the following data are collected:
(1) Information about the browser type and version used
(2) The user's operating system
(3) The user's IP address
(4) Date and time of access
2. Legal basis for processing data
Art. 6 (1) f) GDPR is the legal basis for the temporary storage of data and log files.
3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose the user's IP address has to remain stored for the duration of the session.
The data is stored in log files in order to ensure the functionality of the website. Furthermore, we use the data to optimise the website and to ensure the security of our information technology systems. The data are not analysed for marketing purposes in this context.
Our legitimate interest in data processing pursuant to Art. 6 (1) f) GDPR also lies in these purposes.
4. Retention period
The data get erased as soon as they are no longer necessary for the achievement of the purpose of their collection. If the data were collected for the provision of the website this is the case once the respective session has ended.
The IP addresses are stored anonymously. For this purpose, the last one to three digits are removed, i.e. “127.0.0.1” becomes “127.0.0.0”. IPv6 addresses are also anonymized. The anonymized IP addresses are stored for 60 days. Details of the directory protection user used are anonymized after one day.
Error logs, which record incorrect page views, are deleted after seven days. In addition to the error messages, these contain the accessing IP address and, depending on the error, the website accessed.
5. Possibilities for objecting and removing
The collection of data for the provision of the website and storing data in log files is vital for the operation of the website. Consequently, there is no possibility for users to opt out of this.
IV. Use of cookies
1. Description and scope of data processing
The website uses so-called system cookies in certain places, which do not store any user-relevant data.
External content, e.g. from Google or YouTube, can be accessed at certain points. It is pointed out beforehand that clicking on such an element establishes a connection to this service and that external cookies may be used.
2. Legal basis for processing data
The legal basis for the processing of personal data using cookies is Art. 6 (1) f) GDPR and, if applicable, Art. 6 (1) a) GDPR.
3. Purpose of data processing
The purpose of using cookies is to simplify the use of websites for users.
V. Career pages, contact form and e-mail contact
1. Description and scope of data processing
You can find out about job advertisements from our partner companies throughout Germany on our career pages. The job advertisements are published on our homepage by the respective partner companies. If you respond to an advertisement via a hyperlink/contact form, you will be redirected directly to the page of the respective partner of the PKF Deutschland network. Personal data will not be collected or transmitted on the basis of a job advertisement via our homepage. The further application process as well as the handling of your personal data will be carried out in accordance with the privacy policy of the respective partner company.
However, on our website there is a contact form that can be used to contact us electronically. If a user chooses this option then the data entered into the input mask is transmitted to us and stored. These data are:
Last name,
First name,
Company,
E-mail
When you send a message the following data will also be stored:
(1) User’s IP address
(2) Date and time of dispatch
In the course of the dispatching process your consent to the processing of the data is obtained and reference is made to this Data Privacy Statement.
Alternatively, you can contact us using the e-mail address provided. In this case, the user's personal data transmitted with the e-mail are stored.
In this context, data will not be passed on to third parties. The data are used solely for the purposes of processing the conversation.
2. Legal basis for processing data
The legal basis for the processing of data for the contact form is Art. 6 (1) a) GDPR if the user has given his consent.
Art. 6 (1) f) GDPR is the legal basis for the processing of data transmitted in the course of sending an e-mail. Art. 6 (1) b) GDPR is the additional legal basis for the processing of data if the aim of the e-mail contact is to conclude a contract.
3. Purpose of data processing
Our sole purpose for processing the personal data from the input mask is to manage the establishment of the contact. In the case of a contact made by e-mail, the required legitimate interest in the processing of the data also lies therein.
The rest of the personal data processed during the dispatching process serves to prevent misuse of the contact form and to ensure the security of our information technology system.
4. Retention period
The data get erased as soon as they are no longer necessary for the achievement of the purpose of their collection. For the personal data from the input mask of the contact form and those transmitted by e-mail, this is the case when the respective conversation with the user has ended. The conversation will be deemed to have ended if, from the circumstances, it is possible to infer that the issue in question has been conclusively clarified.
5. Possibilities for objecting and removing
Users have the option of withdrawing consent for the processing of personal data at any time. If users contact us via e-mail they are thus able to object to the retention of their personal data at any time. In such a case it is not possible to continue the conversation.
All the personal data that were saved in the course of establishing contact would be erased in this case.
VI. Rights of the data subject
If your personal data are processed then you are deemed to be a data subject as defined in the GDPR and you are entitled to the following rights vis-à-vis the Data Controller:
1. Right to information
You can request confirmation from the Data Controller as to whether or not personal data that concern you are being processed by us.
If there is such processing then you may request the Data Controller to disclose the following information:
(1) the purposes of the processing for which the personal data are intended;
(2) the categories of personal data that are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been disclosed or have yet to be disclosed;
(4) the planned period for which the personal data concerning you will be stored, or if it is not possible to provide specific criteria for this then the criteria used to determine the retention period;
(5) the existence of the right to rectification or erasure of personal data concerning you, the right to restrict the processing by the Data Controller or the right to object to this processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) all the available information about the origin of the data if the personal data have not been collected from the data subject;
(8) the existence of automated decision-making, including profiling pursuant to Art. 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information as to whether or not personal data concerning you will be transferred to a third country or an international organisation. In this connection, you may request information about the appropriate safeguards pursuant to Art. 46 GDPR in conjunction with such transmissions.
2. Right to rectification
Insofar as the processed personal data concerning you are inaccurate or incomplete you have the right to have these rectified or completed by the Data Controller. The Data Controller has to carry out the rectification without undue delay.
3. Right to restriction of processing
You may request a restriction on the processing of the personal data concerning you under the following conditions:
(1) if you contest the accuracy of the personal data concerning you for a period that enables the Data Controller to verify the accuracy of the personal data;
(2) if the processing is unlawful and you oppose the erasure of the personal data and, instead, you request the restriction of the use of the personal data;
(3) if the Data Controller no longer needs the personal data for the purposes of the processing, however, you need them for the establishment, exercise or defence of legal claims, or
(4) if you have objected to processing pursuant to Art. 21 (1) GDPR and the verification as to whether or not the legitimate grounds of the Data Controller override your grounds is still pending.
If the processing of personal data concerning you has been restricted, these data may only be processed - with the exception of storage - with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained a restriction on processing based on the above-mentioned conditions then you will be informed by the Data Controller before the restriction is lifted.
4. Right to erasure
a) Obligation to erase data
You can request the Data Controller to erase the personal data concerning you without undue delay and the Data Controller is obliged to erase these data without undue delay if any of the following reasons apply:
(1) the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw your consent on which the processing is based pursuant to Art. 6 (1) a) or Art. 9 (2) a) GDPR and where there is no other legal basis for the processing;
(3) you object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR;
(4) the personal data concerning you have been unlawfully processed;
(5) the personal data concerning you have to be erased for compliance with a legal obligation under EU law or the laws of Member States to which the Data Controller is subject;
(6) the personal data concerning you have been collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.
b) Information to third parties
Where the Data Controller has made the personal data concerning you public and is obliged pursuant to Art. 17(1) GDPR to erase them, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the data controllers processing the personal data that you have requested erasure by them of any links to, or copy or replication of, these personal data.
c) Exceptions
The right to erasure shall not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing under EU law or the laws of the Member States to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 (2) h) and i) as well as Art. 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR insofar as the right referred to in clause a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.
5. Right to be informed
If you have asserted your right to rectification or erasure of data or restriction of processing vis-à-vis the Data Controller then the latter is obliged to communicate the rectification or erasure of data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
You are entitled vis-à-vis the Data Controller to the right to be informed about these recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit those data to another data controller without hindrance from the Data Controller to which the personal data have been provided, insofar as:
(1) the processing is based on consent pursuant to Art. 6 (1) a) GDPR or Art. 9 (2) a) GDPR or on a contract pursuant to Art. 6 (1) b) GDPR and
(2) the processing is carried out with the help of an automated procedure.
In exercising this right you also have the right to have the personal data concerning you transmitted directly from one data controller to another data controller insofar as this is technically feasible. The rights and freedoms of other people may not be adversely affected because of this.
The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based on Art. 6 (1) e) or f) GDPR; this also applies to profiling based on these provisions.
The Data Controller shall no longer process the personal data concerning you unless the Data Controller is able to demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if the processing is intended for the establishment, exercise or defence of legal claims.
If the personal data concerning you are processed for direct marketing purposes then you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is connected with such direct marketing.
If you object to processing for direct marketing purposes then the personal data concerning you will no longer be processed for such purposes.
In the context of the use of information society services and notwithstanding Directive 2002/58/EC, you may exercise your right to object with the help of an automated procedure where technical specifications are used.
8. Right to withdraw the declaration of consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
This applies in particular to the storage of a tracking cookie, which can be immediately revoked electronically at the beginning of this statement via the hyperlink "Revoke cookie settings". A revocation can also be sent to us by letter, via e-mail or fax. In this case, however, a short processing time is to be accepted by you for the implementation of your revocation.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This will not apply if the decision:
(1) is necessary for the conclusion or performance of a contract between you and the Data Controller;
(2) is permissible under the laws of the Union or the Member States to which the Data Controller is subject and which also includes appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, or
(3) is made with your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR if Art. 9 (2) a) or g) GDPR applies and appropriate measures have been adopted to safeguard your rights and freedoms as well as your legitimate interests.
With respect to the cases referred to in (1) and (3), the Data Controller will adopt suitable measures to safeguard your rights and freedoms as well as your legitimate interests that will at least include the right to obtain human intervention on the part of the Data Controller, to express your own point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
Aufsichtsbehörde Berlin (Supervisory Authority)
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Telephone: +49 30 13889-0
Fax: +49 30 2155050
E-mail: mailbox@nothing-important.datenschutz-berlin.de
www.datenschutz-berlin.de
11. Further information
Matomo
This website uses the open source web analysis service Matomo. Matomo uses technologies that enable cross-page recognition of the user to analyze user behavior (e.g. device fingerprinting). The information collected by Matomo about the use of this website is stored on our server. The IP address is anonymized before storage.
With the help of Matomo, we are able to collect and analyze data about the use of our website by website visitors. This enables us to find out, among other things, when which pages were accessed and from which region. We also record various log files (e.g. IP address, referrer, browser and operating system used) and can measure whether our website visitors perform certain actions (e.g. clicks, purchases, etc.).
The use of this analysis tool is based on Art. 6 (1) f) GDPR. The website operator has a legitimate interest in the anonymized analysis of user behavior in order to optimize both its website and its advertising. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 (1) a) GDPR and Art. 25 (1) TDDDG, insofar as the consent includes access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
IP anonymization
We use IP anonymization for the analysis with Matomo. Your IP address is shortened before the analysis so that it can no longer be clearly assigned to you.
Hosting
We host Matomo exclusively on our own servers so that all analysis data remains with us and is not passed on.